The Netherlands Data Protection Authority slammed Booking.com with a €475,000 fine (around $560,860) for a data breach that exposed sensitive information of over 4,109 customers. The Dutch data privacy watchdog claimed that Booking.com delayed reporting about the incident. Booking.com is a Dutch online travel agency for lodging reservations.
According to a report from Autoriteit Persoonsgegevens (AP), threat actors illicitly broke into the Booking.com system and managed to extract the login credentials of employees belonging to 40 hotels in the United Arab Emirates. Hackers used phishing and social engineering techniques to trick the employees into revealing the login credentials. They allegedly accessed users’ sensitive information including names, addresses, telephone numbers, and hotel booking details. The threat actors also obtained the credit card details of over 300 victims.
“Booking.com customers ran the risk of being robbed here. Even if the criminals did not steal credit card details, but only someone’s name, contact details, and information about his or her hotel booking. The scammers used that data for phishing. By pretending to belong to the hotel by phone or email, they tried to take money from people. This can be very credible if such a scammer knows exactly when you have booked which room. And asks if you want to pay for those nights. The damage can then be considerable,” said AP Vice President Monique Verdier.
Booking.com noticed the security incident on its systems on January 13, 2019, informed the affected customers on February 4, 2019, and reported it to the authorities on February 7, 2019 — 22 days after the incident, putting customers’ personal information at risk.
As per Article 33 of the European General Data Protection Regulation (GDPR), organizations are mandated to report a security incident within 72 hours. Failing to obey this guideline would attract huge penalties. Ever since the GDPR was launched (on May 25, 2018), the data regulators in European Union (EU) have imposed sizable penalties on various organizations that misused customer information or failed to report any security incidents.
“This is a serious violation. A data breach can, unfortunately, happen anywhere, even if you have taken good precautions. But to prevent damage to your customers and the repetition of such a data breach, you have to report this in time. That speed is very important. In the first place for the victims of a leak. After such a report, the AP can, among other things, order a company to immediately warn affected customers. To prevent criminals from having weeks to continue trying to defraud customers, for example,” Verdier added.
Consequences of Data Breach
The breach of sensitive information could bring severe security risks to the users whose data was affected or compromised. Threat actors could misuse the compromised information for personal gains like selling it on the dark web, launching spear-phishing, or credential-stuffing attacks.
Organizations must ensure that their employees are aware of various social engineering and phishing attacks. Despite enhanced security measures, sometimes companies fall prey to evolving cyberthreats with grievous consequences. Reporting security incidents to the data privacy authorities will help organizations investigate the situation and avoid unnecessary fines.